What Makes a Good Risk Management and Compliance Programme (RMCP)? A Practical Guide Using Guidance Note 7A of FICA


Why Your Risk Management and Compliance Programme Matters More Than Ever (and How to Get It Right)

Your Risk Management and Compliance Programme (RMCP) is not a regulatory box-tick. It’s the operational playbook that shows how your organisation identifies, assesses, and mitigates money laundering and terrorist financing (ML/TF) risks in real time.

FICA Guidance Note 7A (GN7A) is clear: you must design a risk-based, operationally embedded, business-specific RMCP. If it lives in a policy folder and never reaches frontline teams, it fails.


What Makes a Good RMCP? (Spoiler: A Generic Template Won’t Work)

Below are the seven essentials. Use them as a build-or-review checklist.


1. Start With Your Business Model

A strong Risk Management and Compliance Programme (RMCP) reflects your actual products, services, clients, and delivery channels—not a copy-paste template.

GN7A Expectation: Apply a risk-based approach to CDD, ongoing monitoring, and reporting across the business.

Action Tip: Add sector-specific risk typologies and red-flag examples (e.g., fintech wallets, wealth structuring, gaming payouts) so teams recognise real risks fast.


2. Make Governance and Accountability Unambiguous

Next, document who owns what: MLRO, compliance officer, business unit leads, board committees, and escalation points.

GN7A Requirement: Capture governance roles, decision rights, and escalation paths in writing.

Action Tip: Build an RMCP Ownership & Escalation Matrix. Get board sign-off and diarise annual confirmations.


3. Define — and Use — Your Risk Assessment Methodology

Then, show how you score ML/TF risk across customers, products, geographies, and channels. Include scoring criteria, thresholds, data inputs, and treatment plans for higher-risk categories.

GN7A Reference: The Risk Management and Compliance Programme must demonstrate a dynamic, ongoing risk assessment process.

Action Tip: Create a risk scoring matrix or heatmap. Review it at least annually—or sooner when new risk factors emerge (e.g., new digital channels, sanctions events).


4. Apply Risk-Based CDD, EDD, and SDD

After rating risk, translate it into what level of due diligence you perform and when.

GN7A Alignment: Scale CDD proportionate to risk; avoid one-size-fits-all onboarding.

Action Checklist:

  • Define trigger events (threshold breaches, adverse media, PEP hits, unusual source of funds).

  • Map document requirements to each risk tier (standard / enhanced / simplified).

  • Build workflow prompts in onboarding systems so analysts don’t miss steps.
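The scoring matrix in section 3 and the tier mapping and trigger events in section 4, worked through as an added example (not code from the guidance note or from any firm's RMCP). The dimensions, weights, factor scores, thresholds and trigger events are constructed assumptions; a real RMCP would calibrate them to its own risk assessment.

```python
# Added illustration: weighted ML/TF risk scoring across customer, product,
# geography and channel, mapped to a CDD tier, with trigger events overriding
# to enhanced due diligence. All values below are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed factor scores per dimension (1 = low risk, 3 = high risk).
FACTOR_SCORES = {
    "customer":  {"individual": 1, "trust_or_structure": 3, "pep": 3},
    "product":   {"savings": 1, "fintech_wallet": 2, "wealth_structuring": 3},
    "geography": {"domestic": 1, "high_risk_jurisdiction": 3},
    "channel":   {"face_to_face": 1, "non_face_to_face": 2},
}
# Integer weights summing to 100, so the score is an exact integer (100..300).
WEIGHTS = {"customer": 40, "product": 25, "geography": 20, "channel": 15}
# Upper bound of each tier; anything above the last bound is "enhanced".
THRESHOLDS = [(150, "simplified"), (220, "standard")]
# Trigger events (section 4) that force enhanced due diligence regardless of score.
TRIGGER_EVENTS = {"threshold_breach", "adverse_media", "pep_hit", "unusual_source_of_funds"}


@dataclass
class Profile:
    customer: str
    product: str
    geography: str
    channel: str
    triggers: set[str] = field(default_factory=set)


def weighted_score(p: Profile) -> int:
    """Weighted sum of the four dimension scores, 100 (all low) to 300 (all high)."""
    return sum(WEIGHTS[d] * FACTOR_SCORES[d][getattr(p, d)] for d in WEIGHTS)


def base_tier(score: int) -> str:
    """Map a score to simplified / standard / enhanced using THRESHOLDS."""
    for upper, tier in THRESHOLDS:
        if score <= upper:
            return tier
    return "enhanced"


def due_diligence_tier(p: Profile) -> tuple[str, list[str]]:
    """Final CDD tier plus the reasons, so the decision log records why."""
    score = weighted_score(p)
    tier = base_tier(score)
    reasons = [f"score={score} -> {tier}"]
    hits = sorted(p.triggers & TRIGGER_EVENTS)
    if hits:  # any recognised trigger event escalates to enhanced due diligence
        tier = "enhanced"
        reasons.append("trigger events: " + ", ".join(hits))
    return tier, reasons
```

The returned reasons list is what an analyst would write into the decision log; re-running the scoring after a threshold or weight change shows which clients move tier.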


5. Embed Screening, Monitoring, and Reporting

Move from paper to practice by operationalising:

  • Sanctions, PEP & adverse media screening (at onboarding and ongoing).

  • Transaction monitoring with risk-sensitive rules or scenarios.

  • Regulatory reporting workflows for STRs, SARs, and CTRs.

GN7A Clarity: Document who monitors, what tools you use, and which thresholds apply.

Action Tip: Include alert handling procedures with decision logs and audit trails for every decision to submit, or not submit, a suspicious transaction report.


6. Control Records, Reviews, and Version History

You must be able to prove what you did—and when.

Document:

  • What records you retain.

  • Where and how you store them.

  • Retention periods (5 years is common under FIC-related obligations; confirm if longer rules apply).

  • Review cycle and last update date.

GN7A Reminder: Keep a full version history and show how you responded to audit findings, regulatory changes, or emerging risks.

Quick Win: Add a Version Control & Change Log table to the back of your RMCP template.


7. Prove Practical Implementation

Finally, and most importantly, show evidence that your Risk Management and Compliance Programme actually drives daily operations.

GN7A Highlights: The RMCP must align with real practices in onboarding, screening, monitoring, training, and reporting.

Implementation Evidence Examples:

  • Link RMCP paragraphs to SOPs, system screens, and workflow IDs.

  • Track staff training completion by role and risk exposure.

  • Use internal audit or quality assurance testing to confirm procedures match the RMCP.

  • Capture exceptions and remediation actions in a central register.


Quick RMCP Self-Assessment

Use this fast check before your next audit or regulatory review:

  • ✅ Is the RMCP tailored to your business model and risk profile?

  • ✅ Can teams operationalise it without guesswork?

  • ✅ Do controls, monitoring rules, and reporting flows match the document?

  • ✅ Has the RMCP been reviewed, updated, and signed off in the last 12 months (or sooner after major change)?

If you answered “no” to any item, start updating now.


How Navigate Compliance Can Help

When you need to move from policy intent to operational evidence, we can support you end to end. We help you:

  • Design operationally embedded RMCPs aligned to your real risk drivers.

  • Map and align content to FIC Guidance Note 7A and related FICA obligations.

  • Build risk heatmaps, scoring tools, and reporting workflows you can maintain.

  • Train frontline, compliance, and board stakeholders on RMCP execution and oversight.


Let’s strengthen your RMCP before regulators ask the hard questions.

👉 Email: info@navcompliance.co.za
👉 Enrol in our AML learning programmes to master RMCP design, rollout, and testing from start to finish.

